On Wednesday, August 14, 2019 at 9:05:24 AM UTC-5, LinuxDan wrote:
> Your response makes perfect sense. I am planning to use FreeIPA/Red Hat
> Identity Manager which uses SSSD to do everything you describe for your
> house.
>
> I want to be able to manage aspects of the user home directories for
> hardening purposes - permissions, no dot-netrc files, that sort of thing.
>

To the best of my knowledge and my ability to interpret the docs, User resources don't provide for any such thing, nor are they a prerequisite for such management.

> In your experience, is it possible for an LDAP-authenticating login to
> have a user resource at all? If not, I will have to consider a shotgun
> approach to the home-dir management.
>

It ought to be *possible*, but I don't think it would be *useful* for a system with an effectively read-only user database.

If your idea is to have a list of users for each machine under management, then User resources do not advance that objective -- it is easier and better to represent a prescriptive user list in external data, and if you want to expose that for use by multiple classes then a class variable will serve that purpose nicely (and in fact, I do exactly that).

If you're looking instead for an adaptive list, of users who are observed to have home directories on the system, say, then a custom fact is definitely the way to go.

I note, however, that although I know and manage which users are authorized to log in to each of my machines, I do not manage the permissions on or contents of their home directories.

John
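The custom-fact approach mentioned in the reply, sketched as an added example that is not part of the thread: a structured fact reporting each observed home directory's mode, owner and whether a `.netrc` is present. The fact name `home_dir_audit`, the helper name and the `/home` base path are assumptions.

```ruby
# Added example, not code from the thread. Assumed: homes live under /home;
# the fact/helper name `home_dir_audit` is hypothetical.
require 'etc'

# Returns { "alice" => { "mode" => "0700", "owner" => "alice",
#                        "group_or_world_access" => false, "netrc" => true } }
def home_dir_audit(base = '/home')
  result = {}
  return result unless File.directory?(base)

  Dir.children(base).sort.each do |name|
    path = File.join(base, name)
    # lstat: a symlink planted under the base is skipped, not followed
    st = File.lstat(path)
    next unless st.directory?

    mode = st.mode & 0o7777
    owner = begin
      Etc.getpwuid(st.uid)&.name || st.uid.to_s
    rescue ArgumentError
      st.uid.to_s # uid not resolvable through NSS (e.g. SSSD offline)
    end
    netrc = File.join(path, '.netrc')
    result[name] = {
      'mode'                  => format('%04o', mode),
      'owner'                 => owner,
      'group_or_world_access' => (mode & 0o077) != 0,
      # count a dangling symlink named .netrc as present too
      'netrc'                 => File.exist?(netrc) || File.symlink?(netrc),
    }
  end
  result
end

# Register as a structured fact only when this file is loaded by Facter.
if defined?(Facter)
  Facter.add(:home_dir_audit) do
    confine kernel: 'Linux'
    setcode { home_dir_audit }
  end
end
```

Shipped in a module's `lib/facter/` directory, the fact gives manifests an observed list to iterate over without declaring User resources for LDAP-backed accounts.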